The General Data Protection Regulation

Frequently Asked Questions [FAQs]

1. What is the GDPR?

GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). The new European Union Regulation is set to replace the current Data Protection Directive (95/46/EC) as well as the Cyprus Data Protection Law of 2001 [and amendments of 2003]. The aim of the Regulation is to ease and safeguard the flow of personal data across the 28 EU Member States. Being an EU Regulation, it is directly applicable to each Member State’s national law.

2. When will the GDPR come into effect?

The GDPR was approved by the EU Parliament on April 14th 2016 and will come into effect on May 25th 2018.

3. Who does the GDPR affect?

The new legal framework mainly affects businesses that offer goods or services to, or perform monitoring of, EU-based individuals, whether these are customers, prospects, contractors or employees. It also affects any businesses located outside the EU which hold or process personal data of individuals residing within the EU.

4. What do we mean by personal data and special categories of personal data?

Personal data are any information relating to an individual, whether it relates to his or her private, professional or public life. It can be a name, an address, a telephone number, an email address, bank details, an IP address or a combination of them. Special categories of personal data, also known as sensitive personal data, such as genetic and biometric information which uniquely identify a person, are classified in the GDPR as sensitive data. Sensitive data are subject to very strict processing restrictions, such as the need to provide explicit consent.

5. What does "processing" mean?

Processing means anything that is done to, or with, personal data (including simply collecting, storing or deleting those data). This definition is significant because it clarifies that the EU data protection law is likely to apply wherever an organisation does anything that involves or affects personal data.

6. What are the key principles that each business should follow when processing personal data?

Personal data should be processed lawfully, fairly and in a transparent way.

Collection of personal data should rely on an explicit reason for their collection.

The requested data must be limited only to what is necessary for the specific service to be carried out.

Personal data should be accurate and updated at regular intervals.

Personal data should not be kept for longer than necessary.

Data should be processed in a manner that safeguards the security of the personal data.

7. What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data. The controller is the one who collects the data from the data subject.

The processor is an entity which processes personal data on behalf of, or upon the request of, the controller.

However, if you are a controller, the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

For example, a bank is a controller while an external vendor of the bank, such as an IT company, is a processor.

8. What rights will individuals have under GDPR?

One of the key ways the GDPR affects all organisations is the new extended set of rights granted to individuals, as outlined below:

Right to be informed - Organisations need to be clear and transparent on how they use personal data, which would typically be displayed through the organisation’s Privacy statement.

Right of access - Individuals are entitled to know what information is held about them and how it is processed. They should be able to gain unlimited access to this information.

Right of rectification - Individuals are entitled to have their personal data corrected in case they are inaccurate or incomplete.

Right to erasure (also known as the right to be forgotten) - Individuals have the right to request the removal of personal data where there is no compelling reason for continuing their processing.

Right to restrict processing - Individuals have a right to request to block or suppress processing of their personal data. This however may be declined by the organisation on a number of grounds.

Right to data portability - The right to data portability allows individuals to receive a copy of their personal data and transfer them from one IT environment to another, safely and securely.

Right to object - Individuals have the right to object to the use of their personal information in certain circumstances.

Right to not be subject to automated decision making - In specific circumstances, individuals have the right not to be the subject of a decision which has a legal bearing on them and is based on automated processing. This however may be declined by the Bank on a number of grounds.

Right to lodge a complaint - If individuals have exercised any or all of their data protection rights and still feel that their concerns about how the organisation uses their personal data have not been adequately addressed by the organisation, they have the right to lodge a complaint with the Office of the Commissioner for Personal Data Protection at http://www.dataprotection.gov.cy/.

The Bank enables individuals to address their data protection concerns by submitting a complaint at www.bankofcyprus.com.cy.

9. What are the penalties in case of non-compliance?

For infringements relating to transparency of information and communication, or data processing, organizations could be fined up to EUR10M or 2% of global turnover, whichever is higher. For infringements relating to data processing, consent, data subject rights and actual data breaches, organizations could be fined up to EUR20M or 4% of global turnover, whichever is higher.

10. What is a Privacy statement?

If an organisation holds information on individuals, it must provide them with a detailed explanation, such as what information it holds on them, how their data is processed and where it is kept. This can be done through a Privacy statement which should be made publicly available to them. The GDPR accordingly states that this statement should be clear, easy to access and free of charge.

The Privacy statement for the Bank of Cyprus can be found at our website www.bankofcyprus.com.cy and also at any branch of the Bank.

11. What are the lawful bases of processing and when is consent required?

Any processing of personal data must be lawful, fair and transparent to data subjects, while any information and communication regarding personal data must be easily accessible and easy to understand. The organisation has a lawful basis for processing personal data when:

They have obtained direct consent from the individual or the data subject, to the processing of his/her personal data;

There is a necessity to perform a contract - processing is needed in order to enter into or perform a contract;

For protecting the vital interests of the individual - it is vital that specific data are processed for matters of life and death;

There are legal obligations of the organisation - the organisation is obliged to process personal data for a legal obligation [e.g. for compliance with anti-money laundering regulations];

There is a necessity for the public interest - processing by public authorities and organisations in the scope of public duties and interest; and

There is a legitimate interest for the organisation - there should be a compelling justification for processing and using personal data, or the organisation uses it in a way people would reasonably expect. It is also important to conduct a legitimate interests assessment and keep records of it.

12. When can personal data be transferred outside of the EU?

There are restrictions on the transfer of personal data outside the EU, to other countries or international organisations, imposed for the protection of individuals and their personal data as provided by the Regulation. Transfers require the approval of the Commissioner for Personal Data Protection, while in certain other cases the Commissioner must be informed.

The transfer of personal data outside the EU is only allowed provided certain conditions are met, for example:

where the European Commission has designated a third country or an international organisation as providing an adequate level of personal data protection; or

where model contracts exist based on agreements on transfers made between organisations within a group, called standard data protection clauses or binding corporate rules.

In addition, a transfer may be made where the individual has provided specific consent, where it is necessary for the performance of a contract between the individual and the organisation, or if:

it is necessary for reasons of public interest,

it is necessary for the establishment, exercise or defence of legal claims,

it is necessary to protect the vital interests of the data subject or other persons.

13. Does my company need to appoint a Data Protection Officer (DPO)?

An organisation is required to appoint a Data Protection Officer (DPO) if its main activities involve the processing of personal data on a large scale and/or involve continuous monitoring of personal data. The DPO can be an employee of the organisation, only if his duties do not conflict with his role as a DPO, or he can be outsourced.

14. What are the DPO’s responsibilities under GDPR?

The responsibilities of the DPO, as defined in Article 39, are briefly as follows:

To inform and advise the organisation and staff about their obligations under the GDPR;

To monitor compliance with the GDPR by the controller or processor;

To advise on data protection impact assessments and monitor their performance; and

To cooperate and liaise with the supervisory authority on data processing-related issues.

The contact details of the assigned DPO of Bank of Cyprus are shown on the Privacy statement for the Bank of Cyprus and updated on our website at www.bankofcyprus.com.cy.

15. What are the rules on security under the GDPR?

GDPR safeguards personal data by ensuring they are processed in a manner that ensures their security, including protection against unauthorised or unlawful processing as well as against accidental loss, destruction or damage. Organisations should have appropriate technical or organisational measures in place to prevent such personal data leaks or unlawful processing.